Computer attack may not have originated in North Korea after all

USA Today - Evidence has surfaced that the denial-of-service attacks that crippled dozens of U.S. and South Korean web sites last week may not have been perpetrated by North Korea, as widely surmised.

Bkis Security has just disclosed analysis showing that 166,908 botted PCs from 74 countries were used in the attacks. Commands were routed through eight control servers, tied into a master server located in the United Kingdom and running the Windows Server 2003 operating system, says Bkis research director Nguyen Minh Duc.

Hanoi-based Bkis analyzed samples of the attack code at the behest of APCERT, the Korean Computer Emergency Response Team. It found bots carrying out the attacks located South Korea, the United States, China, Japan, Canada, Australia and 68 other nations. Each bot randomly connected every three minutes to one of the eight control servers to receive instructions on which website to attack next. The control servers, in turn, received commands routed through the master server.

"Having located the attacking source in the UK, we believe it is completely possible to find the hacker," says Minh Duc. "This depends on the US and South Korean governments." He said Bkis has turned over its findings to authorities in both nations.

Just because the master server was located in the UK doesn't mean the attackers were Brits. The human controller could be sitting at a keyboard anywhere in the world. However, Jayson E. Street, a cyber warfare consultant at security firm Netragard, says the attacks were more likely the work of a nation-state or perhaps mercenary hacker testing attack techniques, while purposely deflecting blame to North Korea.

A big cyberattack requires computer expertise. "North Korea doesn't have the sophistication to conduct an attack like this," says Street.

Another sign that the true attackers aren't North Koreans, and really don't want to be identified: some of the bots used in the attacks have begun to self destruct. Symantec has identified several hundred attack bots that received a second set of instructions. These machines began to erase all work files associated with office, business and development applications, says Vincent Weafer, vice president of Symantec Security Response. And the instructions also called for destroying the Master Boot program so as to render the PC inoperable the next time the user reboots.

What all that means is that some of the botted PCs carrying out the denial of service attacks subsequently began to wipe out all application files -- and ultimately self destructed. "It's kind of hard to do forensics on a machine that's been wiped," says Street.